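function Get-ADMap {
    <#
    .SYNOPSIS
        Maps Active Directory domains reachable through trust relationships.

    .DESCRIPTION
        Starting from $domain, reads the domain's SID, NetBIOS name and forest
        (Get-ADDomain), locates one domain controller for it (Get-ADDomainController
        -Discover, which returns a single DC, not the full set), lists its trusts
        (Get-ADTrust) and then recurses into every trust target. One record per
        domain is appended to $DiscoveredDomains; the outermost call prints a
        summary with Write-Host.

        Requires the ActiveDirectory module. Every hop sends LDAP/RPC queries to a
        DC of the trust target, so the walk is visible to each domain it touches;
        scope a run deliberately and expect entries of "Unavailable" for targets
        that cannot be queried (e.g. a trust that is not usable in this direction,
        or a non-AD Kerberos realm trust).

    .PARAMETER domain
        DNS name of the domain to start from. Defaults to the current user's domain.

    .PARAMETER visitedDomains
        Domains already handled on the current recursion path (loop guard).
        Callers normally leave this empty.

    .PARAMETER DiscoveredDomains
        [ref] to the array that collects one PSCustomObject per discovered domain
        (Domain, Name, DomainSID, Forest, Hostname, IPv4Address, Trusts). It is
        shared by all recursive calls and also used to skip a domain that is
        reachable through more than one trust path. A caller that pre-populates
        it with the start domain gets no summary, because the call returns early.

    .PARAMETER Verbose
        Print progress and error lines with Write-Host. This is a local switch —
        the function has no [CmdletBinding()], so it is not the common -Verbose.

    .OUTPUTS
        Nothing on the pipeline; results come back through $DiscoveredDomains.
    #>
    param (
        [string]$domain = $env:USERDNSDOMAIN, # Default to current domain
        [string[]]$visitedDomains = @(), # Track visited domains to avoid loops
        [ref]$DiscoveredDomains = [ref]@(), # Store discovered domains and DCs
        [switch]$Verbose # Enable or disable verbose output
    )

    # Manual verbose output; $Verbose is read from the enclosing scope.
    function Write-VerboseManual {
        param ([string]$message, [string]$color)
        if ($Verbose) {
            Write-Host $message -ForegroundColor $color
        }
    }

    # Loop guard for the current recursion path.
    if ($visitedDomains -contains $domain) {
        return
    }
    # $visitedDomains is passed by value, so it only covers the path that led
    # here: a domain reached through two different trust paths (e.g. an external
    # trust held by two sibling domains) would otherwise be queried and recorded
    # twice. The shared result list closes that gap.
    if (@($DiscoveredDomains.Value).Domain -contains $domain) {
        return
    }

    $visitedDomains += $domain
    Write-VerboseManual "[*] Querying $domain" "Green"

    # Step 1: domain identity and one domain controller.
    Write-VerboseManual "[*] Getting domain controllers for $domain" "Cyan"
    $hostname = "Unavailable"
    $ipv4 = "Unavailable"
    $domainSID = "Unavailable"
    $forest = "Unavailable"
    $netbiosName = "Unavailable"
    $trustInfo = "No trusts found"
    try {
        $domainInfo = Get-ADDomain -Server $domain -ErrorAction Stop
        $domainSID = $domainInfo.DomainSID.Value
        $netbiosName = $domainInfo.NetBIOSName
        # Forest from the domain object; the DC record below overrides it when
        # discovery succeeds, so a DC-locator failure alone no longer loses it.
        if ($domainInfo.Forest) { $forest = $domainInfo.Forest }
        $domainControllers = Get-ADDomainController -DomainName $domain -Discover -ErrorAction Stop |
            Select-Object Domain, Forest, HostName, IPv4Address, Name
        # -Discover yields a single DC, so this loop effectively records one
        # host; if it ever returned several, only the last would be kept.
        foreach ($dc in @($domainControllers)) {
            $hostname = $dc.HostName -join "," # HostName is a value collection; flatten it
            $ipv4 = $dc.IPv4Address
            $forest = $dc.Forest
        }
    } catch {
        Write-VerboseManual "[!] Could not retrieve information for $domain" "Red"
    }

    # Step 2: trusts. $trusts is initialised up front so that a failed query
    # leaves an empty list rather than an unset name — PowerShell's dynamic
    # scoping would otherwise resolve $trusts to the caller's list and recurse
    # into the parent's trust targets from the wrong context.
    Write-VerboseManual "[*] Getting trusts for $domain" "Cyan"
    $trusts = @()
    try {
        $trusts = @(Get-ADTrust -Server $domain -Filter * -ErrorAction Stop)
        if ($trusts.Count -gt 0) {
            $trustInfo = ""
            foreach ($trust in $trusts) {
                $trustInfo += "`nDirection: $($trust.Direction), Name: $($trust.Name), Source: $($trust.Source), Target: $($trust.Target)`n"
            }
            $trustInfo = $trustInfo.TrimEnd() # Remove last newline
        }
    } catch {
        Write-VerboseManual "[!] Could not retrieve trusts for $domain" "Red"
    }

    # Record this domain before descending so nested calls can see it.
    $DiscoveredDomains.Value += [pscustomobject]@{
        Domain = $domain
        Name = $netbiosName
        DomainSID = $domainSID
        Forest = $forest
        Hostname = $hostname
        IPv4Address = $ipv4
        Trusts = $trustInfo
    }

    # Step 3: walk every trust target. Direction and trust type are not
    # filtered here; a target that refuses the query is recorded as
    # "Unavailable" by the nested call. Empty targets are skipped so a
    # malformed trust object cannot produce a bogus "" domain entry.
    foreach ($trust in $trusts) {
        $trustedDomain = [string]$trust.Target
        if ([string]::IsNullOrWhiteSpace($trustedDomain)) { continue }
        Get-ADMap -domain $trustedDomain -visitedDomains $visitedDomains -DiscoveredDomains $DiscoveredDomains -Verbose:$Verbose
    }

    # Summary: only the outermost call has a single-entry path.
    if ($visitedDomains.Count -eq 1) {
        Write-Host "`n[*] Summary of discovered domains, their domain controllers, and trust relationships:" -ForegroundColor Green
        if (@($DiscoveredDomains.Value).Count -gt 0) {
            $globalSpacing = "----------"
            foreach ($entry in $DiscoveredDomains.Value) {
                Write-Host "$globalSpacing"
                Write-Host "Domain: $($entry.Domain)"
                Write-Host "NETBIOS Name: $($entry.Name)"
                Write-Host "Domain SID: $($entry.DomainSID)"
                Write-Host "Forest: $($entry.Forest)"
                Write-Host "DC hostname: $($entry.Hostname)"
                Write-Host "DC IP: $($entry.IPv4Address)"
                Write-Host "Trusts: $($entry.Trusts)"
                Write-Host "$globalSpacing"
            }
        } else {
            Write-Host "No domains discovered." -ForegroundColor Yellow
        }
    }
}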